Abstract. We consider the problem of secure identification: user U proves to server S that he knows 
an agreed (possibly low-entropy) password w, while giving away as little information on w as possible, 
namely the adversary can exclude at most one possible password for each execution of the scheme. 
We propose a solution in the bounded-quantum-storage model, where U and S may exchange qubits, 
and a dishonest party is assumed to have limited quantum memory. No other restriction is posed 
upon the adversary. An improved version of the proposed identification scheme is also secure against a 
man-in-the-middle attack, but requires U and S to additionally share a high-entropy key k. However, 
security is still guaranteed if one party loses k to the attacker but notices the loss. In both versions 
of the scheme, the honest participants need no quantum memory, and noise and imperfect quantum 
sources can be tolerated. The schemes compose sequentially, and w and k can securely be re-used. A 
small modification to the identification scheme results in a quantum-key-distribution (QKD) scheme, 
secure in the bounded-quantum-storage model, with the same re-usability properties of the keys, and 
without assuming authenticated channels. This is in sharp contrast to known QKD schemes (with 
unbounded adversary) without authenticated channels, where authentication keys must be updated, 
and unsuccessful executions can cause the parties to run out of keys. 



1 Introduction 



Secure Identification. Consider two parties, a user U and a server S, who share a common 
secret-key (or password or Personal Identification Number PIN) w. In order to obtain some service 
from S, U needs to convince S that he is the legitimate user U by "proving" that he knows w. In 
practice — think of how you prove to the ATM that you know your PIN — such a proof is often done 
simply by announcing w to S. This indeed guarantees that a dishonest user U* who does not know 
w cannot identify himself as U, but of course incurs the risk that U might reveal w to a malicious 
server S* who may now impersonate U. Thus, from a secure identification scheme we also require 
that a dishonest server S* obtains (essentially) no information on w. 

There exist various approaches to obtain secure identification schemes, depending on the setting 
and the exact security requirements. For instance zero-knowledge proofs (and some weaker versions), 
as initiated by Feige, Fiat and Shamir [FS86, FFS87], allow for secure identification. In a more 
sophisticated model, where we allow the common key w to be of low entropy and additionally 
consider a man-in-the-middle attack, we can use techniques from password-based key-agreement 
(like [KOY01, GL03]) to obtain secure identification schemes. Common to these approaches is that 



security relies on the assumption that some computational problem (like factoring or computing 
discrete logs) is hard and that the attacker has limited computing power. 

Our Contribution. In this work, we take a new approach: we consider quantum communication, 
and we develop two identification schemes which are information-theoretically secure under the sole 
assumption that the attacker can only reliably store quantum states of limited size. This model 
was first considered in [DFSS05]. On the other hand, the honest participants only need to send 
qubits and measure them immediately upon arrival; no quantum storage or quantum computation 
is required. Furthermore, our identification schemes are robust to both noisy quantum channels and 
imperfect quantum sources. Our schemes can therefore be implemented in practice using existing 
technology. 

The first scheme is secure against dishonest users and servers but not against a man-in-the- 
middle attack. It allows the common secret-key w to be non-uniform and of low entropy, like a 
human-memorizable password. Only a user knowing w can succeed in convincing the server. In any 
execution of this scheme, a dishonest user or server cannot learn more on w than excluding one 
possibility, which is unavoidable. This is sometimes referred to as password-based identification. The 
second scheme requires in addition to w a uniformly distributed high-entropy common secret-key 
k, but is additionally secure against a man-in-the-middle attack. Furthermore, security against a 
dishonest user or server holds as for the first scheme even if the dishonest party knows k (but 
not w). This implies that k can for instance be stored on a smart card, and security of the scheme 
is still guaranteed even if the smart card gets stolen, assuming that the affected party notices the 
theft and thus does not engage in the scheme anymore. Both schemes compose sequentially, and w 
(and k) may be safely re-used super-polynomially many times, even if the identification fails (due 
to an attack, or due to a technical failure). 

A small modification of the second identification scheme results in a quantum-key-distribution 
(QKD) scheme secure against bounded-quantum-memory adversaries. The advantage of the pro- 
posed new QKD scheme is that no authenticated channel is needed and the attacker can not force 
the parties to run out of authentication keys. The honest parties merely need to share a password 
w and a high-entropy secret-key k, which they can safely re-use (super-polynomially many times), 
independent of whether QKD succeeds or fails. Furthermore, like for the identification scheme, 
losing k does not compromise security as long as the loss is noticed by the corresponding party. 
One may think of this as a quantum version of password-based authenticated key exchange. The 
properties of our solution are in sharp contrast to all known QKD schemes without authenticated 
channels (which do not pose any restrictions on the attacker). In these schemes, an attacker can 
force parties to run out of authentication keys by making the QKD execution fail (e.g. by blocking 
some messages). Worse, even if the QKD execution fails only due to technical problems, the parties 
can still run out of authentication keys after a short while, since they cannot exclude that an 
eavesdropper was in fact present. This problem is an important drawback of QKD implementations, 
especially of those susceptible to single (or few) point(s) of failure [EPT03]. 



Other Approaches. We briefly discuss how our identification schemes compare with other 
approaches. We have already given some indication on how to construct computationally secure 
identification schemes. This approach typically allows for very practical schemes, but requires 
some unproven complexity assumption. Another interesting difference between the two approaches: 
whereas for (known) computationally-secure password-based identification schemes the underlying 
computational hardness assumption needs to hold indefinitely, the restriction on the attacker's 
quantum memory in our approach only needs to hold during the execution of the identification 
scheme, actually only at one single point during the execution. In other words, having a super- 
quantum-storage-device at home in the basement only helps you cheat at the ATM if you can 
communicate with it on-line quantumly - in contrast to a computational solution, where an off-line 
super-computer in the basement can make a crucial difference. 

Furthermore, obtaining a satisfactory identification scheme requires some restriction on the 
adversary, even in the quantum setting: considering only passive attacks, Lo [Lo97] showed that for 
an unrestricted adversary, no password-based quantum identification scheme exists. In fact, Lo's 
impossibility result only applies if the user U is guaranteed not to learn anything about the outcome 
of the identification procedure. We can argue, however, that a different impossibility result holds 
even without Lo's restriction: We first show that secure computation of a classical AND gate (in 
which both players learn the output) can be reduced to a password-based identification scheme. 
The reduction works as follows. Let $w_0$, $w'_0$ and $w_1$ be three distinct elements from $\mathcal{W}$. If Alice has 
private input $x_A = 0$ then she sets $w_A = w_0$ and if $x_A = 1$ then she sets $w_A = w_1$, and if Bob 
has private input $x_B = 0$ then he sets $w_B = w'_0$ and if $x_B = 1$ then he sets $w_B = w_1$. Then, Alice 
and Bob run the identification scheme on inputs $w_A$ and $w_B$, and if the identification is rejected, 
the output is set to 0, while if it is accepted, the output is set to 1 (the server accepts exactly when 
$w_A = w_B = w_1$, i.e. when $x_A = x_B = 1$). Security of the identification scheme is easily seen to 
imply security of the AND computation. Now, the secure computation of an AND gate, with statistical 
security and using quantum communication, can be shown to require a super-polynomial number of 
rounds if the adversary is unbounded [NPS07]. Therefore, the same must hold for a secure password-based 
identification scheme.¹ In fact, in very recent work [BCS09], using the definitions from [FS09], it is 
shown that the whole password of the honest player leaks to the dishonest player. 



Another alternative approach is the classical bounded-storage model [Mau92, CM97, ADR02]. 
In contrast to our approach, only classical communication is used, and it is assumed that the 
attacker's classical memory is bounded. Unlike in the quantum case where we do not need to 
require the honest players to have any quantum memory, the classical bounded-storage model 
requires honest parties to have a certain amount of memory which is related to the allowed memory 
size of the adversary: if two legitimate users need $n$ bits of memory in an identification protocol 
meeting our security criterion, then an adversary must be bounded in memory to $O(n^2)$ bits. The 
reason is that given a secure password-based identification scheme, one can construct (in a black-box 
manner) a key-distribution scheme that produces a one-bit key on which the adversary has an 
(average) entropy of $\frac12$. On the other hand it is known that in any key-distribution scheme which 
requires $n$ bits of memory for legitimate players, an adversary with memory $\Omega(n^2)$ can obtain the 
key except for an arbitrarily small amount of remaining entropy [DM04]. It follows that password-based 
identification schemes in the classical bounded-storage model can only be secure against 
adversaries with memory at most $O(n^2)$. This holds even for identification schemes with only 
passive security and without security against man-in-the-middle attacks. Roughly, the reduction 
works as follows. Alice and Bob agree on a public set of two keys $\{w_0, w_1\}$. Alice picks $a \in_R \{0,1\}$, 
Bob picks $b \in_R \{0,1\}$, and they run the identification scheme with keys $w_a$ and $w_b$ respectively. 
The outcome of the identification is then made public, from which Bob determines $a$. We argue that 
if the identification fails, i.e. $a \ne b$, then $a$ is a secure bit. Thus, on average, $a$ has entropy (close to) 
$\frac12$ from an eavesdropper's point of view. Consider $w' \notin \{w_0, w_1\}$. By the security property of the 
identification scheme, Alice and thus also a passive eavesdropper Eve cannot distinguish between 
Bob having used $w_b$ or $w'$. Similarly, we can then switch Alice's key $w_a$ to $w_{1-a}$ and Bob's switched 
key $w'$ to $w_{1-b}$, without changing Eve's view. Thus, Eve cannot distinguish an execution with $a = 0$ 
from one with $a = 1$ if $a \ne b$. 

¹ In fact, we believe that the proof from [NPS07] can be extended to cover secure computation of equality of strings, 
which is equivalent to password-based identification. This would mean that we could prove the impossibility result 
directly, without the detour via a secure AND computation. 

This limitation of the classical bounded-storage model is in sharp contrast with what we achieve 
in this paper: the honest players need no quantum memory at all, while our identification scheme 
remains secure against adversaries with quantum memory linear in the total number of qubits sent. 
The same separation between the two models was shown for OT and bit commitment [DFSS05, DFR+07]. 

Finally, if one settles for the bounded-quantum-storage model, then in principle one could take a 
generic construction for general two-party secure-function-evaluation (SFE) based on OT together 
with the OT scheme from [DFSS05, DFR+07] in order to implement an SFE for string equality and 
thus password-based identification. However, this approach leads to a highly impractical solution, as 
the generic construction requires many executions of OT, whereas our solution is comparable with 
one execution of the OT scheme from [DFSS05, DFR+07]. Furthermore, SFE does not automatically 
take care of a man-in-the-middle attack, thus additional work would need to be done using this 
approach. 

Subsequent Work. The difficulty of storing quantum information can also be modeled differently 
from assuming a bound on the physical number of qubits an adversary can control. In the more 
realistic noisy-quantum-storage model put forward in [WST08], all incoming qubits can be stored 
by an adversary but are subject to storage noise. Assuming a simple storage strategy, one can show 
that the protocols in the current paper remain secure [STW09], whereas it is unknown if security 
still holds in case of more sophisticated storage strategies [KWW09]. 

If the storage limitation on the adversary fails to hold, it is easy to see that not only will our 
security proofs fail, but in fact the protocol we propose can be broken quite efficiently. However, it 
was recently shown in [DFL+09] how to add a "preamble" to the protocol using a commitment 
scheme based on a computational assumption. It is shown in [DFL+09] that to break the resulting 
protocol, an adversary must have both large quantum memory and large computing power. 



2 Preliminaries 



2.1 Notation and Terminology 



Quantum States. We assume the reader's familiarity with basic notation and concepts of quantum 
information processing [NC00]. In this paper, the computational or $+$-basis is defined by the 
pair $\{|0\rangle, |1\rangle\}$ (also written as $\{|0\rangle_+, |1\rangle_+\}$). The pair $\{|0\rangle_\times, |1\rangle_\times\}$ denotes the diagonal or $\times$-basis, 
where $|0\rangle_\times = (|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle_\times = (|0\rangle - |1\rangle)/\sqrt{2}$. We write $|x\rangle_\theta = |x_1\rangle_{\theta_1} \otimes \cdots \otimes |x_n\rangle_{\theta_n}$ for the 
$n$-qubit state where the string $x = (x_1, \ldots, x_n) \in \{0,1\}^n$ is encoded in bases $\theta = (\theta_1, \ldots, \theta_n) \in \{+, \times\}^n$. 

The behavior of a (mixed) quantum state in a register $E$ is fully described by its density 
matrix $\rho_E$. In order to simplify language, we tend to be a bit sloppy and use $E$ as well as $\rho_E$ as 
"naming" for the quantum state. We often consider cases where a quantum state $E$ may depend on 
some classical random variable $X$ (from a finite set $\mathcal{X}$) in that the state is described by the density 
matrix $\rho^x_E$ if and only if $X = x$. For an observer who has only access to the state $E$ but not to $X$, 
the behavior of the state is determined by the density matrix $\rho_E := \sum_x P_X(x)\rho^x_E$, whereas the joint 
state, consisting of the classical $X$ and the quantum state $E$, is described by the density matrix 
$\rho_{XE} := \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho^x_E$, where we understand $\{|x\rangle\}_{x \in \mathcal{X}}$ to be the standard (orthonormal) 
basis of $\mathbb{C}^{|\mathcal{X}|}$. More generally, for any event $\mathcal{E}$ (defined by $P_{\mathcal{E}|X}(x) = P[\mathcal{E}\,|\,X = x]$ for all $x$), we write 

$$\rho_{XE|\mathcal{E}} := \sum_x P_{X|\mathcal{E}}(x)\,|x\rangle\langle x| \otimes \rho^x_E \quad\text{and}\quad \rho_{E|\mathcal{E}} := \mathrm{tr}_X\big(\rho_{XE|\mathcal{E}}\big) = \sum_x P_{X|\mathcal{E}}(x)\,\rho^x_E \,. \qquad (1)$$

We also write $\rho_X := \sum_x P_X(x)\,|x\rangle\langle x|$ for the quantum representation of the classical random variable 
$X$ (and similarly for $\rho_{X|\mathcal{E}}$). This notation extends naturally to quantum states that depend on 
several classical random variables, defining the density matrices $\rho_{XYE}$, $\rho_{XYE|\mathcal{E}}$, $\rho_{YE|X=x}$ etc. We 
tend to slightly abuse notation and write $\rho^x_{YE} = \rho_{YE|X=x}$ and $\rho^x_{YE|\mathcal{E}} = \rho_{YE|X=x,\mathcal{E}}$, as well as $\rho^x_E = 
\mathrm{tr}_Y(\rho^x_{YE})$ and $\rho^x_{E|\mathcal{E}} = \mathrm{tr}_Y(\rho^x_{YE|\mathcal{E}})$.² Note that writing $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ and $\rho_E = \mathrm{tr}_{X,Y}(\rho_{XYE})$ is 
consistent with the above notation. We also write $\rho_{XE|\mathcal{E}} = \mathrm{tr}_Y(\rho_{XYE|\mathcal{E}})$ and $\rho_{E|\mathcal{E}} = \mathrm{tr}_{X,Y}(\rho_{XYE|\mathcal{E}})$, 
where one has to be aware that in contrast to (1), here the state $E$ may depend on the event $\mathcal{E}$ 
(namely via $Y$), so that, e.g., $\rho_{E|\mathcal{E}} = \sum_x P_{X|\mathcal{E}}(x)\,\rho^x_{E|\mathcal{E}}$. Given a quantum state $E$ that depends on 
a classical random variable $X$, by saying that there exists a random variable $Y$ such that $\rho_{XYE}$ 
satisfies some condition, we mean that $\rho_{XE}$ can be understood as $\rho_{XE} = \mathrm{tr}_Y(\rho_{XYE})$ for some $\rho_{XYE}$ 
(with classical $Y$) and that $\rho_{XYE}$ satisfies the required condition.³ 

$X$ is independent of $E$ (in that $\rho^x_E$ does not depend on $x$) if and only if $\rho_{XE} = \rho_X \otimes \rho_E$, which 
in particular implies that no information on $X$ can be learned by observing only $E$. Similarly, $X$ is 
random and independent of $E$ if and only if $\rho_{XE} = \frac{1}{|\mathcal{X}|}\mathbb{1} \otimes \rho_E$, where $\frac{1}{|\mathcal{X}|}\mathbb{1}$ is the density matrix of 
the fully mixed state of suitable dimension. Finally, if two states like $\rho_{XE}$ and $\rho_X \otimes \rho_E$ are $\varepsilon$-close 
in terms of their trace distance $\delta(\rho, \sigma) = \frac12\mathrm{tr}(|\rho - \sigma|)$, which we write as $\rho_{XE} \approx_\varepsilon \rho_X \otimes \rho_E$, then 
the real system $\rho_{XE}$ "behaves" as the ideal system $\rho_X \otimes \rho_E$ except with probability $\varepsilon$ in that for 
any evolution of the system no observer can distinguish the real from the ideal one with advantage 
greater than $\varepsilon$ [RK05]. As $\varepsilon$ can be interpreted as an error probability, we typically require $\varepsilon$ to 
be negligible in a security parameter $n$, denoted as $\varepsilon = \mathrm{negl}(n)$. A security parameter is a natural 
number $n$ given as input to all players in our protocols, and a probability is said to be negligible in 
$n$ if for any polynomial $p$, it is smaller than $1/p(n)$ for all sufficiently large $n$. 

Conditional Independence. We also need to express that a random variable $X$ is (close to) 
independent of a quantum state $E$ when given a random variable $Y$. This means that when given $Y$, 
the state $E$ gives no (or little) additional information on $X$. Formally, this is expressed by requiring 
that $\rho_{XYE}$ equals (or is close to) $\rho_{X \leftrightarrow Y \leftrightarrow E}$, which is defined as⁴ 

$$\rho_{X \leftrightarrow Y \leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_E \,.$$

In other words, $\rho_{XYE} = \rho_{X \leftrightarrow Y \leftrightarrow E}$ precisely if $\rho^{x,y}_E = \rho^y_E$ for all $x$ and $y$. To further illustrate its 
meaning, notice that if the $Y$-register is measured and value $y$ is obtained, then the state $\rho_{X \leftrightarrow Y \leftrightarrow E}$ 
collapses to $\big(\sum_x P_{X|Y}(x|y)\,|x\rangle\langle x|\big) \otimes \rho^y_E$, so that indeed no further information on $x$ can be obtained 
from the $E$-register. This notation naturally extends to $\rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}}$ simply by considering $\rho_{XYE|\mathcal{E}}$ 
instead of $\rho_{XYE}$. Explicitly, $\rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} = \sum_{x,y} P_{XY|\mathcal{E}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_{E|\mathcal{E}}$. 

² The density matrix $\rho^x_{E|\mathcal{E}}$ describes the quantum state $E$ in the case that the event $\mathcal{E}$ occurs and $X$ takes on the 
value $x$. The corresponding holds for the other density matrices considered here. 

³ This is similar to the case of distributions of classical random variables where, given $X$, the existence of a certain 
$Y$ is understood as the existence of a certain joint distribution $P_{XY}$ with $\sum_y P_{XY}(\cdot, y) = P_X$. 

⁴ The notation is inspired by the classical setting where the corresponding independence of $X$ and $Z$ given $Y$ can 
be expressed by saying that $X \leftrightarrow Y \leftrightarrow Z$ forms a Markov chain. 



The notion of conditional independence has been introduced in [DFSS07] (a classical version 
was independently proposed in [CW08]) and used as a convenient tool in subsequent papers [FS09, 
BCS09]. In this paper we will use the following property of conditional independence whose proof 
is given in Appendix A.1. 

Lemma 2.1. For any event $\mathcal{E}$, the density matrix $\rho_{X \leftrightarrow Y \leftrightarrow E}$ can be decomposed into 

$$\rho_{X \leftrightarrow Y \leftrightarrow E} = P[\mathcal{E}]^2 \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} + \big(1 - P[\mathcal{E}]^2\big) \cdot \tau$$

for some density matrix $\tau$. Furthermore, if $\mathcal{E}$ is independent of $X$ and $Y$, then 

$$\rho_{X \leftrightarrow Y \leftrightarrow E} = P[\mathcal{E}] \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} + P[\bar{\mathcal{E}}] \cdot \rho_{X \leftrightarrow Y \leftrightarrow E|\bar{\mathcal{E}}} \,.$$



(Conditional) Smooth Min-Entropy. Different notions of conditional (smooth) min-entropy 
have been proposed in the literature; we briefly specify here the variant that is convenient for us. 
Let $X$ and $Y$ be random variables, over respective finite alphabets $\mathcal{X}$ and $\mathcal{Y}$, with joint distribution 
$P_{XY}$. The conditional min-entropy of $X$ given $Y$ is defined as the negative logarithm of the guessing 
probability of $X$ given $Y$: $H_{\min}(X|Y) := -\log\big(p_{\mathrm{guess}}(X|Y)\big)$ where 

$$p_{\mathrm{guess}}(X|Y) := \sum_y P_Y(y)\,\max_x P_{X|Y}(x|y) = \sum_y \max_x P_{XY}(x,y)$$

and $\log$ denotes the binary logarithm (here and throughout the paper). More generally, we define 
$H_{\min}(X\mathcal{E}|Y)$ for any event $\mathcal{E}$ as $H_{\min}(X\mathcal{E}|Y) := -\log\big(p_{\mathrm{guess}}(X\mathcal{E}|Y)\big)$ where⁵ 

$$p_{\mathrm{guess}}(X\mathcal{E}|Y) := \sum_y P_Y(y)\,\max_x P_{X\mathcal{E}|Y}(x|y) = \sum_y \max_x P_{XY\mathcal{E}}(x,y) \,.$$

The conditional smooth min-entropy $H^\varepsilon_{\min}(X|Y)$ is then defined as 

$$H^\varepsilon_{\min}(X|Y) := \max_{\mathcal{E}} H_{\min}(X\mathcal{E}|Y)$$

where the max is over all events $\mathcal{E}$ with $P[\mathcal{E}] \ge 1 - \varepsilon$. 

Obviously, the unconditional versions of smooth and non-smooth min-entropy are obtained 
by using an "empty" $Y$; furthermore the above notions extend naturally to $H_{\min}(X|Y, \mathcal{E})$ and 
$H^\varepsilon_{\min}(X|Y, \mathcal{E})$ for any event $\mathcal{E}$ by considering the corresponding conditional joint distribution $P_{XY|\mathcal{E}}$. 

⁵ $p_{\mathrm{guess}}(X\mathcal{E}|Y)$ can be understood as the optimal probability of guessing $X$ and having $\mathcal{E}$ occur, when given $Y$. 
2.2 Tools 



Min-Entropy-Splitting. A technical tool, which will come in handy, is the following entropy-splitting 
lemma, which may also be of independent interest. Informally, it says that if for a list 
of random variables, every pair has high (smooth) min-entropy, then all of the random variables 
except one must have high (smooth) min-entropy. The proof is given in Appendix A.2. 

Lemma 2.2 (Entropy-Splitting Lemma). Let $\varepsilon \ge 0$. Let $X_1, \ldots, X_m$ and $Z$ be random variables 
such that $H^\varepsilon_{\min}(X_i X_j | Z) \ge \alpha$ for all $i \ne j$. Then there exists a random variable $V$ over 
$\{1, \ldots, m\}$ such that for any independent random variable $W$ over $\{1, \ldots, m\}$ with $H_{\min}(W) \ge 1$, 

$$H^{2\varepsilon}_{\min}(X_W \,|\, VWZ,\, V \ne W) \ \ge\ \alpha/2 - \log(m) - 1 \,.$$
Quantum Uncertainty Relation. At the very core of our security proofs lies (a special case of) 
the quantum uncertainty relation from [DFR+07]⁶ that lower bounds the (smooth) min-entropy 
of the outcome when measuring an arbitrary $n$-qubit state in a random basis $\theta \in \{+, \times\}^n$. 

Theorem 2.3 (Uncertainty Relation [DFR+07]). Let $E$ be an arbitrary fixed $n$-qubit state. 
Let $\Theta$ be uniformly distributed over $\{+, \times\}^n$ (independent of $E$), and let $X \in \{0,1\}^n$ be the random 
variable for the outcome of measuring $E$ in basis $\Theta$. Then, for any $\lambda > 0$, the conditional smooth 
min-entropy is lower bounded by 

$$H^\varepsilon_{\min}(X|\Theta) \ \ge\ \Big(\tfrac12 - 2\lambda\Big)\, n$$

with $\varepsilon \le 2^{-\sigma(\lambda) n}$, where $\sigma(\lambda) > 0$ is a constant that depends only on $\lambda$ (its explicit form is given in [DFR+07]). 

Thus, ignoring negligibly small "error probabilities" and linear fractions that can be chosen 
arbitrarily small, the outcome of measuring any $n$-qubit state in a random basis has $n/2$ bits of 
min-entropy, given the basis. 

Privacy Amplification. Finally, we recall the quantum-privacy-amplification theorem of Renner 
and König [RK05]. The version we use here follows immediately from [Ren05, Corollary 5.6.1] by 
applying the chain rule for min- and max-entropy [Ren05, Lemma 3.2.9] and using the equivalence, 
as shown in [KRS08], of the quantum and the classical notion of (smooth) conditional min-entropy. 
Recall that a class $\mathcal{F}$ of hash functions from $\mathcal{X}$ to $\mathcal{Y}$ is called (strongly) universal-2 if for any 
$x \ne x' \in \mathcal{X}$, and for $F$ uniformly distributed over $\mathcal{F}$, the collision probability $P[F(x) = F(x')]$ is 
upper bounded by $1/|\mathcal{Y}|$, respectively, for the strong notion, the random variables $F(x)$ and $F(x')$ 
are uniformly and independently distributed over $\mathcal{Y}$. 

Theorem 2.4. Let $X$ and $Z$ be random variables distributed over $\mathcal{X}$ and $\mathcal{Z}$, respectively, and let 
$E$ be a $q$-qubit state that may depend on $X$ and $Z$. Let $F$ be the random and independent choice of 
a member of a universal-2 class of hash functions $\mathcal{F}$ from $\mathcal{X}$ into $\{0,1\}^\ell$. Then, for any $\varepsilon \ge 0$, 

$$\delta\Big(\rho_{F(X)FZE},\ \tfrac{1}{2^\ell}\mathbb{1} \otimes \rho_{FZE}\Big) \ \le\ \tfrac12\, 2^{-\frac12\left(H^\varepsilon_{\min}(X|Z) - q - \ell\right)} + 2\varepsilon \,.$$

⁶ In [DFR+07], a stricter notion of conditional smooth min-entropy was used, which in particular implies the bound 
as stated here. 
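Added example (not code from the paper): the guessing probability, the conditional min-entropy and the privacy-amplification bound above can be checked numerically in the purely classical special case of Theorem 2.4, i.e. $q = 0$ (no quantum side information) and $\varepsilon = 0$. The Python below computes $p_{\mathrm{guess}}(X|Z)$ and $H_{\min}(X|Z)$ exactly for a constructed toy distribution $P_{XZ}$, then enumerates a universal-2 family (all $\ell \times n$ binary matrices over GF(2); the choice of family is an assumption, the theorem allows any universal-2 class) and computes the exact statistical distance between $(F(X), F, Z)$ and $(U_\ell, F, Z)$, which for classical $Z$ is $\delta(\rho_{F(X)FZ}, 2^{-\ell}\mathbb{1} \otimes \rho_{FZ})$. The distribution, alphabet sizes and parameters are constructed for illustration only.

```python
import itertools
import math

# Constructed toy distribution P_XZ (an assumption for illustration, not from the paper):
# X is a 5-bit string, Z a single bit of side information.  Given Z = 0, X is uniform
# over the 8 strings 0..7; given Z = 1, X is uniform over the 4 strings 16..19.
N_BITS = 5
P_XZ = {}
for x in range(8):
    P_XZ[(x, 0)] = 0.5 / 8
for x in range(16, 20):
    P_XZ[(x, 1)] = 0.5 / 4


def p_guess(pxz):
    """p_guess(X|Z) = sum_z max_x P_XZ(x, z): success probability of the best guess of X
    after seeing Z (the second form of the definition in Section 2.1)."""
    best = {}
    for (x, z), p in pxz.items():
        best[z] = max(best.get(z, 0.0), p)
    return sum(best.values())


def h_min(pxz):
    """Conditional min-entropy H_min(X|Z) = -log p_guess(X|Z), binary logarithm."""
    return -math.log2(p_guess(pxz))


def linear_hash(rows, x):
    """h(x) = M x over GF(2).  Row j of M is stored as an n-bit mask; output bit j is the
    parity of (mask & x).  Over all matrices M this family is universal-2: for x != x',
    M(x xor x') = 0 happens with probability exactly 2^-ell."""
    return tuple(bin(row & x).count("1") & 1 for row in rows)


def pa_distance(pxz, n, ell):
    """Exact statistical distance between (F(X), F, Z) and (uniform ell bits, F, Z) for F a
    uniformly random ell-by-n binary matrix.  With classical Z this is the left-hand side
    delta(rho_{F(X)FZ}, 2^-ell * 1 ⊗ rho_{FZ}) of Theorem 2.4 with q = 0."""
    p_z = {}
    for (_, z), p in pxz.items():
        p_z[z] = p_z.get(z, 0.0) + p
    family = list(itertools.product(range(1 << n), repeat=ell))  # every ell-by-n matrix
    total = 0.0
    for rows in family:
        joint = {}  # distribution of (F(X), Z) for this fixed matrix
        for (x, z), p in pxz.items():
            key = (linear_hash(rows, x), z)
            joint[key] = joint.get(key, 0.0) + p
        dist = 0.0
        for k in itertools.product((0, 1), repeat=ell):
            for z, pz in p_z.items():
                dist += abs(joint.get((k, z), 0.0) - pz / (1 << ell))
        total += 0.5 * dist
    return total / len(family)  # F is uniform over the family


def pa_bound(pxz, ell, q=0, eps=0.0):
    """Right-hand side of Theorem 2.4: 1/2 * 2^{-(H_min(X|Z) - q - ell)/2} + 2 eps."""
    return 0.5 * 2 ** (-(h_min(pxz) - q - ell) / 2) + 2 * eps


if __name__ == "__main__":
    for ell in (1, 2):
        print(ell, pa_distance(P_XZ, N_BITS, ell), pa_bound(P_XZ, ell))
```

The check is exhaustive, so the alphabets are kept tiny. For this distribution $p_{\mathrm{guess}}(X|Z) = 3/16$ and $H_{\min}(X|Z) = \log(16/3) \approx 2.42$; with $\ell = 2$ the bound is about $0.43$ and the exact distance lies below it. With $\ell = 3$ the bound exceeds $1/2$ and the theorem promises nothing, which is the regime a protocol must stay out of by choosing $\ell$ well below the min-entropy, exactly the role of the $\ell$ and $q$ terms in the exponent of Proposition 3.4.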
3 The Identification Scheme 



3.1 The Setting 

We assume that the honest user U and the honest server S share some key $w \in \mathcal{W}$ (which we think 
of as a password), where the choice of $w$ is described by the random variable $W$. An identification 
protocol is now simply any protocol for U and S using classical and/or quantum communication 
where the parties are both given as input a security parameter n and (in the honest case) the 
password w, and where S outputs accept or reject in the end. 

We do not require $\mathcal{W}$ to be very large (i.e. $|\mathcal{W}|$ does not have to be lower bounded by the 
security parameter in any way), and $w$ does not necessarily have to be uniformly distributed in $\mathcal{W}$. 
So, we may think of w as a human-memorizable password or PIN code. The goal of this section is to 
construct an identification scheme that allows U to "prove" to S that he knows w. The scheme should 
have the following security properties: a dishonest server S* learns essentially no information on w 
beyond that he can come up with a guess w' for w and learns whether w' = w or not, and similarly 
a dishonest user succeeds in convincing the verifier essentially only if he guesses w correctly, and if 
his guess is incorrect then the only thing he learns is that his guess is incorrect. This in particular 
implies that as long as the entropy of W is large enough, the identification scheme may be safely 
repeated. Finally, it must of course be the case that S accepts the legitimate user who has the 
correct password. More formally, we require the following: 

Definition 3.1. An execution by honest U,S on input w for both parties results in S accepting, 
except with negligible probability (as a function of n). 

Definition 3.2. We say that an identification protocol for two parties U, S is secure for the user 
with error $\varepsilon$ against (dishonest) server S* if the following is satisfied: whenever the initial state of 
S* is independent of $W$, the joint state $\rho_{W E_{S^*}}$ after the execution of the protocol is such that there 
exists a random variable $W'$ that is independent of $W$ and such that 

$$\rho_{W W' E_{S^*} | W' \ne W} \ \approx_\varepsilon\ \rho_{W \leftrightarrow W' \leftrightarrow E_{S^*} | W' \ne W} \,.$$

Definition 3.3. We say that an identification protocol for two parties U, S is secure for the server 
with error $\varepsilon$ against (dishonest) user U* if the following is satisfied: whenever the initial state of 
a dishonest user U* is independent of $W$, there exists $W'$ (possibly $\bot$), independent of $W$, such 
that if $W \ne W'$ then S accepts with probability at most $\varepsilon$, and if $W = W'$ then S accepts with 
certainty. Furthermore, the common state $\rho_{W E_{U^*}}$ after the execution of the protocol (including S's 
announcement to accept or reject) satisfies 

$$\rho_{W W' E_{U^*} | W' \ne W} \ \approx_\varepsilon\ \rho_{W \leftrightarrow W' \leftrightarrow E_{U^*} | W' \ne W} \,.$$

If these definitions are satisfied for a small e, we are guaranteed that whatever a dishonest 
party does is essentially as good as trying to guess W by some arbitrary (but independent) W' 
and learning whether the guess was correct or not, but nothing beyond that. Such a property is 
obviously the best one can hope for, since an attacker may always honestly execute the protocol 
with a guess for W and observe whether the protocol was successful. 

We would like to point out that the above security definitions, and in fact any security claim in 
this paper, guarantees sequential self-composability, as the output state is guaranteed to have the 
same independence property (for any fixed choice of $W$) as is required from the input state (except 
if the attacker guesses $W$). Moreover, it is shown in [FS08a, FS09] that our definitions imply a 
"real/ideal" world definition given in [FS09]. More specifically, it is shown that a protocol satisfying 
our information-theoretic conditions implements a natural ideal identification functionality, and by 
the composition theorem from [FS09], this means that the protocol composes sequentially in a 
classical environment, i.e. the quantum protocol can be treated as the ideal functionality when 
analyzing a more complicated classical outer protocol. 

It should be noted that security for user and server is usually not sufficient for application in 
practice of an identification protocol. A problem occurs if the honest user and server are interacting 
and an attacker can manipulate the communication, i.e., do a "man-in-the-middle" attack, and 
observe the reaction of the honest parties. This scenario is not covered by the above definitions, 
and indeed it turns out that the simplest version of our protocol is not secure against such an 
attack. Nevertheless, the problem can be solved and we address it in Section 4. 



3.2 The Intuition 



The scheme we propose is related to the (randomized) 1-2 OT scheme of [DFR+07]. In that scheme, 
Alice sends $|x\rangle_\theta$ to Bob, for random $x \in \{0,1\}^n$ and $\theta \in \{+, \times\}^n$. Bob then measures everything 
in basis $+$ or $\times$, depending on his choice bit $c$, so that he essentially knows half of $x$ (where Alice 
used the same basis as Bob) and has no information on the other half (where Alice used the other 
basis), though, at this point, he does not know yet which bits he knows and which ones he does 
not. Then, Alice sends $\theta$ and two hash functions to Bob, and outputs the hash values $s_0$ and $s_1$ 
of the two parts of $x$, whereas Bob outputs the hash value $s_c$ that he is able to compute from 
the part of $x$ he knows. It is proven in [DFR+07] that no dishonest Alice can learn $c$, and for any 
quantum-memory-bounded dishonest Bob, at least one of the two strings $s_0$ and $s_1$ is random for 
Bob. 

This scheme can be extended by giving Bob more options for measuring the quantum state. 
Instead of measuring all qubits in the + or the x basis, he may measure using m different strings 
of bases, where any two possible basis-strings have large Hamming distance. Then Alice computes 
and outputs m hash values, one for each possible basis-string that Bob might have used. She reveals 
$\theta$ and the hash functions to Bob, so he can compute the hash value corresponding to the basis that 
he has used, and no other hash value. Intuitively, such an extended scheme leads to a randomized 
1-m OT. 

The scheme can now be transformed into a secure identification scheme as follows, where we 
assume (wlog) that $\mathcal{W} = \{1, \ldots, m\}$. The user U, acting as Alice, and the server S, acting as Bob, 
execute the randomized 1-$m$ OT scheme where S "asks" for the string indexed by his key $w$, such 
that U obtains random strings $s_1, \ldots, s_m$ and S obtains $s_w$. Then, to do the actual identification, 
U sends $s_w$ to S, who accepts if and only if it coincides with his string $s_w$. Intuitively, such a 
construction is secure against a dishonest server since unless he asks for the right string (by guessing 
$w$ correctly) the string U sends him is random and thus gives no information on $w$. On the other 
hand, a dishonest user does not know which of the $m$ strings S asked for and wants to see from 
him. We realize this intuitive idea in the next section. In the actual protocol, U does not have to 
explicitly compute all the $s_i$'s, and also we only need a single hash function (to compute $s_w$). We 
also take care of some subtleties, for instance that the $s_i$ are not necessarily random if Alice (i.e. 
the user) is dishonest. 
3.3 The Basic Scheme 



Let $c : \mathcal{W} \to \{+, \times\}^n$ be the encoding function of a binary code of length $n$ with $m = |\mathcal{W}|$ codewords 
and minimal distance $d$. $c$ can be chosen such that $n$ is linear in $\log(m)$ or larger, and $d$ is linear in $n$. 
Furthermore, let $\mathcal{F}$ and $\mathcal{G}$ be strongly universal-2 classes of hash functions⁷ from $\{0,1\}^n$ to $\{0,1\}^\ell$ 
and from $\mathcal{W}$ to $\{0,1\}^\ell$, respectively, for some parameter $\ell$. For $x \in \{0,1\}^n$ and $I \subseteq \{1, \ldots, n\}$, we 
define $x|_I \in \{0,1\}^{|I|}$ to be the restriction of $x$ to the coordinates $x_i$ with $i \in I$. If $|I| < n$ then 
applying $f \in \mathcal{F}$ to $x|_I$ is to be understood as applying $f$ to $x|_I$ padded with sufficiently many 0's. 



Q-ID:

1. U picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$, and sends state $|x\rangle_\theta$ to S.

2. S measures $|x\rangle_\theta$ in basis $c := c(w)$. Let $x'$ be the outcome.

3. U picks $f \in_R \mathcal{F}$ and sends $\theta$ and $f$ to S. Both compute $I_w := \{i : \theta_i = c(w)_i\}$.

4. S picks $g \in_R \mathcal{G}$ and sends $g$ to U.

5. U computes and sends $z := f(x|_{I_w}) \oplus g(w)$ to S.

6. S accepts if and only if $z = z'$ where $z' := f(x'|_{I_w}) \oplus g(w)$.
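As an added example that is not part of the paper, the following Python simulates one execution of Q-ID end to end. Everything concrete in it is an assumption made for illustration: $m = 8$ passwords, the Walsh-Hadamard code (with symbols repeated) as $c$, a random affine map over GF(2) as the strongly universal-2 class $\mathcal{F}$, a random table as $\mathcal{G}$, and a classical model of the quantum channel in which a qubit of $|x\rangle_\theta$ measured in its preparation basis yields $x_i$ and one measured in the conjugate basis yields a uniformly random bit (the outcome statistics of BB84 states under qubit-wise measurement). It also checks the intuition sketched before the protocol, namely that a server who learns all of $x$ can compute every $s_j = f(x|_{I_j}) \oplus g(j)$ and that these strings are pairwise distinct.

```python
import random

# Added example, not the paper's code. All parameters are toy assumptions: m = 8 passwords
# encoded by the length-8 Walsh-Hadamard code with every symbol repeated R times, i.e. a code
# c : W -> {+,x}^n with n = 8R and minimal distance d = 4R; ELL plays the role of the paper's l.
R, M, ELL = 4, 8, 32
N = 8 * R


def hadamard_code(m):
    """Walsh-Hadamard code: m = 2^k codewords of length m, any two at distance exactly m/2."""
    return [[bin(w & v).count("1") & 1 for v in range(m)] for w in range(m)]


HAD = hadamard_code(M)


def encode(w):
    """c(w) as a basis string, 0 standing for '+' and 1 for 'x'."""
    return [b for b in HAD[w] for _ in range(R)]


def measure(x, theta, basis, rng):
    """Classical model of measuring |x>_theta qubit by qubit in `basis`: a qubit read in its
    preparation basis yields x_i, one read in the conjugate basis yields a uniform bit."""
    return [x[i] if basis[i] == theta[i] else rng.randrange(2) for i in range(len(x))]


def su2_hash(rng, n, ell):
    """Random affine map v -> Mv xor b over GF(2): a strongly universal-2 family
    {0,1}^n -> {0,1}^ell. Shorter inputs are zero-padded, as the paper prescribes for x|I."""
    rows = [rng.getrandbits(n) for _ in range(ell)]
    b = rng.getrandbits(ell)

    def h(bits):
        v = sum(bit << i for i, bit in enumerate(bits))
        return b ^ sum((bin(row & v).count("1") & 1) << k for k, row in enumerate(rows))

    return h


def restrict(x, idx):
    """x|_I: the bits of x at the positions in idx."""
    return [x[i] for i in idx]


def q_id(w_user, w_server, seed):
    """One execution of Q-ID; returns S's decision. A user who does not know w is modelled by
    a guess w_user != w_server; an honest run has w_user == w_server."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(N)]                  # step 1: U picks x, theta
    theta = [rng.randrange(2) for _ in range(N)]
    c = encode(w_server)                                       # step 2: S measures in c(w)
    x_prime = measure(x, theta, c, rng)
    f = su2_hash(rng, N, ELL)                                  # step 3: U sends theta and f
    c_user = encode(w_user)
    I_user = [i for i in range(N) if theta[i] == c_user[i]]    # U's view of I_w
    I_server = [i for i in range(N) if theta[i] == c[i]]       # S's view of I_w
    g = [rng.getrandbits(ELL) for _ in range(M)]               # step 4: random table, strongly universal-2
    z = f(restrict(x, I_user)) ^ g[w_user]                     # step 5
    z_prime = f(restrict(x_prime, I_server)) ^ g[w_server]     # step 6
    return z == z_prime


def candidate_strings(seed):
    """Server-security view: a server with unbounded quantum memory learns x and can compute
    s_j = f(x|I_j) xor g(j) for every j. When these are pairwise distinct (a collision has
    probability at most m^2 / 2^ell), the z it receives singles out one guess w'."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(N)]
    theta = [rng.randrange(2) for _ in range(N)]
    f = su2_hash(rng, N, ELL)
    g = [rng.getrandbits(ELL) for _ in range(M)]
    out = []
    for j in range(M):
        c_j = encode(j)
        out.append(f(restrict(x, [i for i in range(N) if theta[i] == c_j[i]])) ^ g[j])
    return out


if __name__ == "__main__":
    print("honest run accepted:", q_id(5, 5, seed=1))
    print("wrong-password run rejected:", not q_id(2, 5, seed=1))
    print("all s_j distinct:", len(set(candidate_strings(seed=1))) ==M)
```

An honest run always accepts, because $I_w$ is the same set on both sides and $x'$ agrees with $x$ there; a user who guesses wrong is rejected except with probability about $2^{-\ell}$, since $g$ alone already randomizes $z$ relative to $z'$.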





It is trivial that the protocol satisfies Definition 3.1. In addition, we have:

Proposition 3.4 (User security). Assume that the size of the quantum memory of dishonest server S* is at most $q$ at step 3 of Q-ID, and that $H_{\min}(W) \geq 1$. Then Q-ID is secure for the user with error $\varepsilon$ against S* according to Definition 3.2, where

$$\varepsilon = 2^{-\frac{1}{2}\left((\frac{1}{4}-\lambda)d - \log(m) - \ell - q - 1\right)} + 2^{-(\sigma(\lambda)d - \log(m) - 3)}$$

for an arbitrary $0 < \lambda < \frac{1}{4}$.

Note that $\sigma(\lambda)$ was defined earlier in the claim of the uncertainty relation. To understand what the result on $\varepsilon$ means, note that using a family of asymptotically good codes, we can assume that $d$ grows linearly with the main security parameter $n$, while still allowing $m$ (the number of passwords) to be exponential in $n$. So we may choose the parameters such that $\frac{d}{n}$, $\frac{\log(m)}{n}$, $\frac{q}{n}$ and $\frac{\ell}{n}$ are all constants. The result above now says that $\varepsilon$ is exponentially small as a function of $n$ if these constants are chosen in such a way that for some $0 < \lambda < \frac{1}{4}$, it holds that $(\frac{1}{4}-\lambda)\frac{d}{n} - \frac{\log(m)}{n} - \frac{q}{n} - \frac{\ell}{n} > 0$ and $\sigma(\lambda)\frac{d}{n} - \frac{\log(m)}{n} > 0$. See Theorem 3.6 for a choice of parameters that also takes server security into account. If we are willing to assume that $\log(m)$ is sublinear in $n$, which may be quite reasonable in case we use short passwords that humans can remember, the condition further simplifies to $\frac{d}{4n} - \frac{q}{n} - \frac{\ell}{n} > 0$.

Proof. We consider and analyze a purified version of Q-ID where in step 1, instead of sending $|x\rangle_\theta$ to S* for a random $x$, U prepares a fully entangled state $2^{-n/2}\sum_x |x\rangle|x\rangle$ and sends the second register to S* while keeping the first. Then, in step 3, when the memory bound has applied, he measures his register in the random basis $\theta \in_R \{+,\times\}^n$ in order to obtain $x$. Standard arguments imply that this purified version produces exactly the same common state, consisting of the classical information on U's side and S*'s quantum state.

$^7$ Actually, we only need $\mathcal{G}$ to be strongly universal-2.
Recall that before step 3 is executed, the memory bound applies to S*, meaning that S* has to measure all but $q$ of the qubits he holds, which consist of his initial state and his part of the EPR pairs. Before doing the measurement, he may append an ancilla register and apply an arbitrary unitary transform. As a result of S*'s measurement, S* gets some outcome $y$, and the common state collapses to an $(n+q)$-qubit state (which depends on $y$), where the first $n$ qubits are with U and the remaining $q$ with S*. The following analysis is for a fixed $y$, and works no matter what $y$ is.

We use upper case letters $W, X, \Theta, F, G$ and $Z$ for the random variables that describe the respective values $w, x, \theta$ etc. in an execution of the purified version of Q-ID. We write $X_j = X|_{I_j}$ for any $j$, and we let $E'_{S^*}$ be S*'s $q$-qubit state at step 3 after the memory bound has applied. Note that $W$ is independent of $X, \Theta, F, G$ and $E'_{S^*}$.

For $1 \leq i \neq j \leq m$, fix the value of $X$, and correspondingly of $X_i$ and $X_j$, at the positions where $c(i)$ and $c(j)$ coincide, and focus on the remaining (at least) $d$ positions. The uncertainty relation (Theorem 2.3) implies that the restriction of $X$ to these positions has $(\frac{1}{2} - 2\lambda)d$ bits of $\varepsilon'$-smooth min-entropy given $\Theta$, where $\varepsilon' \leq 2^{-\sigma(\lambda)d}$ and $0 < \lambda < \frac{1}{4}$ arbitrary. Since every bit in the restricted $X$ appears in one of $X_i$ and $X_j$, the pair $X_i, X_j$ also has $(\frac{1}{2} - 2\lambda)d$ bits of $\varepsilon'$-smooth min-entropy given $\Theta$. The Entropy Splitting Lemma 2.2 implies that there exists $W'$ (called $V$ in Lemma 2.2) such that if $W \neq W'$ then $X_W$ has $(\frac{1}{4} - \lambda)d - \log(m) - 1$ bits of $2m\varepsilon'$-smooth min-entropy given $W$ and $W'$ (and $\Theta$). Privacy amplification then guarantees that $F(X_W)$ is $\varepsilon''$-close to random and independent of $F, W, W', \Theta$ and $E'_{S^*}$, conditioned on $W \neq W'$, where

$$\varepsilon'' = \tfrac{1}{2}\cdot 2^{-\frac{1}{2}\left((\frac{1}{4}-\lambda)d - \log(m) - \ell - q - 1\right)} + 4m\varepsilon'.$$

It follows that $Z = F(X_W) \oplus G(W)$ is $\varepsilon''$-close to random and independent of $F, G, W, W', \Theta$ and $E'_{S^*}$, conditioned on $W \neq W'$.

Formally, we want to upper bound $\delta(\rho_{WW'E_{S^*}|W'\neq W},\ \rho_{W\leftrightarrow W'\leftrightarrow E_{S^*}|W'\neq W})$. Since the output state $E_{S^*}$ is, without loss of generality, obtained by applying some unitary transform to the set of registers $(Z, F, G, W', \Theta, E'_{S^*})$, the distance above is equal to the distance between $\rho_{WW'(Z,F,G,\Theta,E'_{S^*})|W'\neq W}$ and $\rho_{W\leftrightarrow W'\leftrightarrow(Z,F,G,\Theta,E'_{S^*})|W'\neq W}$. We then get:

$$\rho_{WW'(Z,F,G,\Theta,E'_{S^*})|W'\neq W} \approx_{\varepsilon''} \tfrac{\mathbb{1}}{2^\ell} \otimes \rho_{WW'(F,G,\Theta,E'_{S^*})|W'\neq W} = \tfrac{\mathbb{1}}{2^\ell} \otimes \rho_{W\leftrightarrow W'\leftrightarrow(F,G,\Theta,E'_{S^*})|W'\neq W} \approx_{\varepsilon''} \rho_{W\leftrightarrow W'\leftrightarrow(Z,F,G,\Theta,E'_{S^*})|W'\neq W},$$

where the approximations follow from privacy amplification and the exact equality comes from the independence of $W$, which, when conditioned on $W' \neq W$, translates to independence given $W'$. The claim follows with $\varepsilon = 2\varepsilon''$. □

Proposition 3.5 (Server security). If $H_{\min}(W) \geq 1$, then Q-ID is secure for the server with error $\varepsilon$ against any U* according to Definition 3.3, where $\varepsilon = m^2/2^\ell$.

The formal proof is given below. The idea is the following. We let U* execute Q-ID with a server that is unbounded in quantum memory. Such a server can obviously obtain $x$ and thus compute $s_j = f(x|_{I_j}) \oplus g(j)$ for all $j$. Note that $s_w$ is the message $z$ that U* is required to send in the last step. Now, if the $s_j$'s are all distinct, then $z$ uniquely defines $w'$ such that $z = s_{w'}$, and thus S accepts if and only if $w' = w$, and U* does not learn anything beyond. The strong universal-2 property of $g$ guarantees that the $s_j$'s are all distinct except with probability $m^2/2^\ell$.

Proof. Again, we consider a slightly modified version. We let U* interact with a server that has unbounded quantum memory and does the following. Instead of measuring $|x\rangle_\theta$ in step 2 in basis $c$, it stores the state and measures it after step 3 in basis $\theta$ (and obtains $x$). This modified version produces the same common state $\rho_{WE_{U^*}}$ as the original scheme, since the only difference between the two is when and in what basis the qubits at positions $i \notin I_w$ are measured, which does not affect the execution in any way.

We use the upper case letters $W, X, \Theta, F, G$ and $Z$ for the random variables that describe the respective values $w, x, \theta$ etc. in an execution of the modified version of Q-ID. Furthermore, we define $S_j := F(X|_{I_j}) \oplus G(j)$ for $j = 1,\ldots,m$. Note that $Z' = S_W$ represents the value $z'$ used by S in the last step. Let $\mathcal{E}$ be the event that all $S_j$'s are distinct. By the strong universal-2 property, and since $G$ is independent of $X$ and $F$, the $S_j$'s are pairwise independent and thus it follows from the union bound that $\mathcal{E}$ occurs except with probability at most $m(m-1)/2 \cdot 1/2^\ell \leq m^2/2^{\ell+1}$.

Let $E'_{U^*}$ be U*'s quantum state after the execution of Q-ID but before he learns S's decision to accept or reject. We may assume that the values of all random variables $X, \Theta, F, G, Z$ and the $S_j$'s are known/given to U*, i.e., we consider them as part of $E'_{U^*}$. Furthermore, we may assume that $Z$ is one of the $S_j$'s, i.e. that $Z = S_{W'}$ for a random variable $W'$. Indeed, if $Z \neq S_j$ for all $j$ then we set $W' := \bot$ and S's decision is "reject", no matter what $W$ is, and U* obviously learns no information on $W$ at all. By the way we have defined $W'$, it is clear that S accepts if $W' = W$.

Note that $E'_{U^*}$ is independent of $W$ by assumption on U*'s initial state (in Definition 3.3) and by definition of the random variables $X$, etc. Since $\mathcal{E}$ is determined by the $S_j$'s (which are part of $E'_{U^*}$), this holds also when conditioning on $\mathcal{E}$. This then translates to the independence of $E'_{U^*}$ from $W$ when given $W'$, conditioned on $W' \neq W$ and $\mathcal{E}$.

We now consider U*'s state $E_{U^*}$ after he has learned S's decision. If $W' \neq W$ and all $S_j$'s are distinct then S rejects with probability 1. Hence, conditioned on the events $W' \neq W$ and $\mathcal{E}$, U*'s state $E_{U^*}$ remains independent of $W$ given $W'$. Define $p := P[\mathcal{E} \mid W' \neq W]$ and $\bar{p} := P[\bar{\mathcal{E}} \mid W' \neq W] = 1 - p$, where $\bar{\mathcal{E}}$ is the complementary event to $\mathcal{E}$. Recall that $P[\bar{\mathcal{E}}] \leq m^2/2^{\ell+1}$, and therefore $\bar{p} \leq P[\bar{\mathcal{E}}]/(1 - P[W' = W]) \leq 2P[\bar{\mathcal{E}}] \leq m^2/2^\ell$, where the second-last inequality follows from the independence of $W$ and $W'$, and from the condition on $H_{\min}(W)$. Note that $\bar{p}$ upper bounds the probability that S accepts in case $W' \neq W$, proving the first claim. From the above it follows that

$$\rho_{WW'E_{U^*}|W'\neq W} = p\cdot\rho_{WW'E_{U^*}|\mathcal{E},W'\neq W} + \bar{p}\cdot\rho_{WW'E_{U^*}|\bar{\mathcal{E}},W'\neq W} = p\cdot\rho_{W\leftrightarrow W'\leftrightarrow E_{U^*}|\mathcal{E},W'\neq W} + \bar{p}\cdot\rho_{WW'E_{U^*}|\bar{\mathcal{E}},W'\neq W}.$$

Furthermore, it is not too hard to see that $\mathcal{E}$ is independent of $W$ and $W'$, and thus also when conditioned on $W' \neq W$. Lemma 2.1 hence implies that

$$\rho_{W\leftrightarrow W'\leftrightarrow E_{U^*}|W'\neq W} = p\cdot\rho_{W\leftrightarrow W'\leftrightarrow E_{U^*}|\mathcal{E},W'\neq W} + \bar{p}\cdot\rho_{W\leftrightarrow W'\leftrightarrow E_{U^*}|\bar{\mathcal{E}},W'\neq W}.$$

By definition of the metric $\delta(\cdot,\cdot)$, and because it cannot be bigger than 1, the distance between the two states is at most $\bar{p} \leq m^2/2^\ell$. □

We call an identification scheme $\varepsilon$-secure against impersonation attacks if the protocol is secure for the user and secure for the server with error at most $\varepsilon$ in both cases. The following holds:

Theorem 3.6. If $H_{\min}(W) \geq 1$, then the identification scheme Q-ID (with suitable choice of parameters) is $\varepsilon$-secure against impersonation attacks for any unbounded user and for any server with quantum memory bound $q$, where

$$\varepsilon = 2^{-\frac{1}{3}\left((\frac{1}{4}-\lambda)n\mu - 3\log(m) - q - 2\right)} + 2^{-(\sigma(\lambda)n\mu - \log(m) - 4)}$$

for an arbitrary $0 < \lambda < \frac{1}{4}$, and where $\mu = h^{-1}(1 - \log(m)/n)$, and $h^{-1}$ is the inverse function of the binary entropy function $h(p) := -p\cdot\log(p) - (1-p)\cdot\log(1-p)$ restricted to $0 \leq p \leq \frac{1}{2}$. In particular, if $\log(m)$ is sublinear in $n$, then $\varepsilon$ is negligible in $n - 8q$.

Proof. We choose $\ell = \frac{1}{3}\left((\frac{1}{4}-\lambda)d + 3\log(m) - q - 1\right)$. Then user security holds except with an error $\varepsilon = 2^{-\frac{1}{3}((\frac{1}{4}-\lambda)d - 3\log(m) - q - 1)} + 2^{-(\sigma(\lambda)d - \log(m) - 3)}$, and server security holds except with an error $m^2/2^\ell = 2^{-\frac{1}{3}((\frac{1}{4}-\lambda)d - 3\log(m) - q - 1)}$. Using a code $c$ which asymptotically meets the Gilbert-Varshamov bound [Tho83], $d$ may be chosen arbitrarily close to $n\cdot h^{-1}(1 - \log(m)/n)$. In particular, we can ensure that $d$ differs from this value by at most 1. Inserting $d = n\cdot h^{-1}(1 - \log(m)/n) - 1$ in the expression for user security yields the theorem. □



3.4 Mutual Identification 

In order to obtain mutual identification, where also the server identifies himself towards the user, one could of course simply run Q-ID in both directions: say, first U identifies himself to S, and then S identifies himself to U (by exchanging their roles in Q-ID). However, this scheme allows the dishonest server to exclude two possible keys $w \in \mathcal{W}$ per invocation, it requires to also assume the user's quantum memory to be bounded, and it has doubled complexity.

We briefly sketch an approach that circumvents these drawbacks of the trivial solution: In the original Q-ID scheme, instead of announcing $z = f(x|_{I_w}) \oplus g(w)$, U announces a noisy version $\tilde{z}$, obtained from $z$ by flipping each bit of $z$ independently with some small probability; this still allows S to verify if U knows $w$ by testing if $\tilde{z}$ is "close" to $z'$, and S has then to prove knowledge of $w$ by announcing to U the positions where U flipped the bits.

Security against a dishonest user still holds (with a slightly larger error probability) since the uniformity of the $S_j$'s, as defined in the proof, also guarantees that the $S_j$'s are pair-wise "far apart", so that $W'$ is still uniquely determined by $\tilde{Z}$. And security against a dishonest server follows from the fact that if $W' \neq W$ then $Z$ is (essentially) uniformly distributed and thus, given its noisy version $\tilde{Z}$, the server can at best guess the positions of the bit-flips, which are independent of $W$.



3.5 An Error-tolerant Scheme 

We now consider an imperfect quantum channel with "error rate" $\phi$. The scheme Q-ID is sensitive to such errors in that they cause $x|_{I_w}$ and $x'|_{I_w}$ to be different and thus an honest server S is likely to reject an honest user U. This problem can be overcome by means of error-correcting techniques: U chooses a linear error-correcting code that allows to correct a $\phi$-fraction of errors, and then in step 3, in addition to $\theta$ and $f$, U sends a description of the code and the syndrome $s$ of $x|_{I_w}$ to S; this additional information allows S to recover $x|_{I_w}$ from its noisy version $x'|_{I_w}$ by standard techniques. However, this technique introduces a new problem: the syndrome $s$ of $x|_{I_w}$ may give information on $w$ to a dishonest server. Hence, to circumvent this problem, the code chosen by U must have the additional property that for a dishonest user, who has high min-entropy on $x|_{I_w}$, the syndrome $s$ is (close to) independent of $w$.
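The following Python is an added example, not the paper's code, of the syndrome-based reconciliation just described: U sends $s = \mathrm{syn}(x|_{I_w})$, and S corrects its noisy copy from $\mathrm{syn}(x'|_{I_w}) \oplus s$, the syndrome of the error pattern. The [7,4] Hamming code is an assumption chosen for its size (the paper's construction uses the Dodis-Smith code families of Section 3.5); the last function counts how many strings share one syndrome, which quantifies the leakage the paper's extra requirement on the code is meant to neutralize.

```python
from itertools import product

# Added example, not the paper's code. The [7,4] Hamming code stands in for U's error-correcting
# code (an assumption); parity-check matrix H, whose column j is the binary expansion of j with
# the least significant bit in the first row.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
BLOCK = 7


def syndrome(block):
    """syn(y) = H y over GF(2); the syndrome of a single flipped bit at 1-based position j is j."""
    return [sum(h & b for h, b in zip(row, block)) & 1 for row in H]


def pad_blocks(bits):
    """Cut into 7-bit blocks, zero-padding the last one (the paper's padding convention)."""
    bits = list(bits) + [0] * (-len(bits) % BLOCK)
    return [bits[i:i + BLOCK] for i in range(0, len(bits), BLOCK)]


def syndromes(x):
    """User side: the syndrome s of x|I_w, sent to S together with theta and f."""
    return [syndrome(blk) for blk in pad_blocks(x)]


def reconcile(x_prime, s, length):
    """Server side: syn(x') xor s = syn(x' xor x) = syn(e), the syndrome of the error pattern;
    one flipped bit per block is located and undone, recovering x|I_w from x'|I_w."""
    out = []
    for blk, s_blk in zip(pad_blocks(x_prime), s):
        diff = [a ^ b for a, b in zip(syndrome(blk), s_blk)]
        pos = diff[0] | diff[1] << 1 | diff[2] << 2   # 1-based error position, 0 = no error
        blk = list(blk)
        if pos:
            blk[pos - 1] ^= 1
        out.extend(blk)
    return out[:length]


def strings_with_syndrome(s):
    """Leakage: the 7-bit strings sharing syndrome s. There are 2^4 of 2^7, so the syndrome
    hands a dishonest server 3 bits about x|I_w per block; this is the information that the
    paper's randomly chosen code families make (close to) independent of w."""
    return [list(v) for v in product((0, 1), repeat=BLOCK) if syndrome(v) == s]


if __name__ == "__main__":
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]   # constructed sample for x|I_w
    noisy = list(x)
    noisy[2] ^= 1          # one channel error in the first block
    noisy[8] ^= 1          # and one in the second
    print("recovered:", reconcile(noisy, syndromes(x), len(x)) == x)
    print("strings per syndrome:", len(strings_with_syndrome([0, 0, 0])))
```

With at most one error per 7-bit block the recovery is exact; more errors per block exceed the code's capability, which is why the paper ties the code choice to the channel's error rate $\phi$.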



This problem has been addressed and solved in the classical setting by Dodis and Smith [DS05] and subsequently in the quantum setting in [FS08b]. Dodis and Smith present a family of efficiently decodable linear codes allowing to correct a constant fraction of errors, and where the syndrome of a string is close to uniform if the string has enough min-entropy and the code is chosen at random from the family. Specifically, Lemma 5 of [DS05] guarantees that for every $0 < \lambda < 1$ and for an infinite number of $n'$'s there exists a $\delta$-biased (as defined in [DS05]) family $\mathcal{C} = \{C_j\}_{j\in\mathcal{J}}$ of $[n',k',d']_2$-codes with $\delta \leq 2^{-\lambda n'/2}$, and which allows to efficiently correct a constant fraction of errors. Furthermore, Theorem 3.2 of [FS08b] (which generalizes Lemma 4 in [DS05] to the quantum setting) guarantees that if a string $Y$ has $t$ bits of min-entropy$^8$ then for a randomly chosen code $C_j \in \mathcal{C}$, the syndrome of $Y$ is close to random and independent of $j$ and any $q$-qubit state that may depend on $Y$, where the closeness is given by $\delta\cdot 2^{(n'+q-t)/2}$. In our application, $Y = X_W$, $n' \approx n/2$ and $t \approx d/4 - \log(m) - \ell$, where the additional loss of $\ell$ bits of entropy comes from learning the $\ell$-bit string $z$. Choosing $\lambda = 1 - \frac{t}{2n'}$ gives an ensemble of code families that allow to correct a linear number of errors and the syndrome is $\varepsilon$-close to uniform given the quantum state, where $\varepsilon \leq 2^{-n'/2 + t/4}\cdot 2^{(n'+q-t)/2} = 2^{-(t-2q)/4}$, which is exponentially small provided that there is a linear gap between $t$ and $2q$. Thus, the syndrome gives essentially no additional information. The error rate $\phi$ that can be tolerated this way depends in a rather complicated way on $\lambda$, but choosing $\lambda$ larger, for instance $\lambda = 1 -$ for a constant $\nu > 0$, allows to tolerate a higher error rate but requires $q$ to be a smaller (but still constant) fraction of $t$.

Another imperfection has to be taken into account in current implementations of the quantum channel: imperfect sources. An imperfect source transmits more than one qubit in the same state with probability $\eta$, independently each time a new transmission takes place. To deal with imperfect sources, we freely give away $(x_i, \theta_i)$ to the adversary when a multi-qubit transmission occurs in position $i$. It is not difficult to see that the parameter $\varepsilon$ in Proposition 3.4 then changes in that $d$ is replaced by $(1-\eta)d$.

It follows that a quantum channel with error-rate $\phi$ and multi-pulse rate $\eta$, called the $(\phi,\eta)$-weak quantum model in [DFSS05], can be tolerated for some small enough (but constant) $\phi$ and $\eta$.



4 Defeating Man-in-the-Middle Attacks 
4.1 The Approach 

In the previous section, we "only" proved security against impersonation attacks, but we did not consider a man-in-the-middle attack, where the attacker sits between an honest user and an honest server and controls their (quantum and classical) communication. And indeed, Q-ID is highly insecure against such an attack: the attacker may measure the first qubit in, say, basis $+$, and then forward the collapsed qubit (together with the remaining untouched ones) and observe if S accepts the session. If not, then the attacker knows that he introduced an error and hence that the first qubit must have been encoded and measured using the $\times$-basis, which gives him one bit of information on the key $w$. The error-tolerant scheme seems to prevent this particular attack, but it is by no means clear that it is secure against any man-in-the-middle attack.

To defeat a man-in-the-middle attack that tampers with the quantum communication, we perform a check of correctness on a random subset. The check allows to detect if the attacker tampers too much with the quantum communication, and the scheme can be aborted before sensitive information is leaked to the attacker. In order to protect the classical communication, one might use a standard information-theoretic authentication code. However, the key for such a code can only be securely used a limited number of times. A similar problem occurs in QKD: even though a successful QKD execution produces fresh key material that can be used in the next execution, the attacker can have the parties run out of authentication keys by repeatedly forcing the executions to fail. In order to overcome this problem, we will use a special authentication scheme allowing to re-use the key under certain circumstances, as discussed in Sect. 4.3.

$^8$ [FS08b] does not consider smooth min-entropy, but it is not too hard to see that their results also hold for the smooth version.



4.2 The Setting 

Similar to before, we assume that the user U and the server S share a not necessarily uniform, low-entropy key $w$. In order to handle the stronger security requirements of this section, we have to assume that U and S in addition share a uniform high-entropy key $k$. We require that a man-in-the-middle attacker can do no better than making a guess $w'$ at $w$, and if his guess is incorrect then he learns no more information on $w$ besides that his guess is wrong, and essentially no information on $k$. More formally:

Definition 4.1. We say that an identification protocol is secure against man-in-the-middle attacks by E with error $\varepsilon$ if, whenever the initial state of E is independent of the keys $W$ and $K$, there exists $W'$, independent of $W$, such that the common state $\rho_{KWE}$ after the execution of the protocol satisfies

$$\rho_{KWW'E|W'\neq W} \approx_\varepsilon \rho_K \otimes \rho_{W\leftrightarrow W'\leftrightarrow E|W'\neq W}.$$

Furthermore, we require security against impersonation attacks, as defined in the previous 
section, even if the dishonest party knows k. It follows that k can for instance be stored on a smart 
card, and security is still guaranteed even if the smart card gets stolen, assuming that the theft 
is noticed and the corresponding party does/can not execute the scheme anymore. We would also 
like to stress that by our security notion, not only w but also k may be safely reused, even if the 
scheme was under attack. 



4.3 An Additional Tool: Extractor MACs 

An important tool used in this section is an authentication scheme, i.e., a Message Authentication Code (MAC), that also acts as an extractor, meaning that if there is high min-entropy in the message, then the key-tag pair cannot be distinguished from the key and a random tag. Such a MAC, introduced in [DKRS06], is called an extractor MAC, EXTR-MAC for short. For instance

$$\mathrm{MAC}^*_{\alpha,\beta}(x) = [\alpha x]_t + \beta, \quad \text{where } \alpha, x \in GF(2^n),\ \beta \in GF(2^t) \text{ and } [\cdot]_t \text{ denotes truncation to the } t \text{ first bits},$$

is an EXTR-MAC: impersonation and substitution probability are $1/2^t$, and, for an arbitrary message $X$ and "side information" $Z$, a random key $K = (A,B)$ and the corresponding tag $T = [A\cdot X]_t + B$, the tuple $(T,K,Z)$ is $(\frac{1}{2}\cdot 2^{-\frac{1}{2}(H_{\min}(X|Z) - t)} + 2\varepsilon)$-close to $(U,K,Z)$, where $U$ is the uniform distribution, respectively, $\rho_{TKZE}$ is $(\frac{1}{2}\cdot 2^{-\frac{1}{2}(H_{\min}(X|Z) - q - t)} + 2\varepsilon)$-close to $\frac{\mathbb{1}}{2^t}\otimes\rho_{KZE} = \frac{\mathbb{1}}{2^t}\otimes\rho_K\otimes\rho_{ZE}$ if we allow a $q$-qubit state $E$ that may depend only on $X$ and $Z$. A useful feature of an EXTR-MAC is that if an adversary gets to see the tag of a message on which he has high min-entropy, then the key for the MAC can be safely re-used (sequentially). Indeed, closeness of the real state, $\rho_{TKE}$, to the ideal state, $\frac{\mathbb{1}}{2^t}\otimes\rho_{KE} = \frac{\mathbb{1}}{2^t}\otimes\rho_K\otimes\rho_E$, means that no matter how the state evolves, the real state behaves like the ideal one (except with small probability), but of course in the ideal state, $K$ is still "fresh" and can be reused.
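As an added example that is not part of the paper, the Python below implements $\mathrm{MAC}^*_{\alpha,\beta}(x) = [\alpha x]_t + \beta$ with toy sizes $n = 8$ and $t = 4$ (both assumptions, as is the choice of reduction polynomial for $GF(2^8)$ and the reading of $[\cdot]_t$ as the $t$ most significant bits). Because the field is tiny, the two properties the text states can be checked exhaustively rather than argued: the substitution probability is exactly $2^{-t}$, and for a fixed key a uniform message yields a uniform tag.

```python
# Added example, not the paper's code: the EXTR-MAC MAC*_{alpha,beta}(x) = [alpha x]_t + beta over
# GF(2^n), instantiated with toy sizes n = 8, t = 4 (assumptions). Truncation [.]_t is taken to
# be the t most significant bits, and '+' is addition in GF(2)^t, i.e. XOR.
N_BITS, T_BITS = 8, 4
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the reduction polynomial defining GF(2^8) here


def gf_mul(a, b):
    """Product of a and b in GF(2^8): carry-less multiplication reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def truncate(v):
    """[v]_t: the t first (most significant) bits of the n-bit field element v."""
    return v >> (N_BITS - T_BITS)


def mac(alpha, beta, x):
    """MAC*_{alpha,beta}(x) = [alpha x]_t + beta."""
    return truncate(gf_mul(alpha, x)) ^ beta


def verify(key, x, tag):
    alpha, beta = key
    return mac(alpha, beta, x) == tag


def substitution_probability(x, tag, x2, tag2):
    """Fraction of keys consistent with a seen pair (x, tag) under which a forged (x2, tag2)
    also verifies. For x2 != x it is exactly 2^-t: the keys consistent with (x, tag) are
    {(alpha, tag + [alpha x]_t)}, and alpha -> alpha (x + x2) is a bijection of GF(2^n), so
    [alpha (x + x2)]_t = tag + tag2 holds for exactly 2^(n-t) of the 2^n values of alpha."""
    consistent = [(a, tag ^ truncate(gf_mul(a, x))) for a in range(2 ** N_BITS)]
    hits = sum(verify(k, x2, tag2) for k in consistent)
    return hits / len(consistent)


def tag_histogram(alpha, beta):
    """Extractor view for a fixed key: how often each tag value occurs as x ranges over all
    of GF(2^n). With alpha != 0 every tag occurs 2^(n-t) times, i.e. a uniform message gives
    a uniform tag; the paper's statement extends this to messages that are merely high-entropy."""
    hist = [0] * 2 ** T_BITS
    for x in range(2 ** N_BITS):
        hist[mac(alpha, beta, x)] += 1
    return hist


if __name__ == "__main__":
    key = (0x53, 0x7)                  # constructed sample key (alpha, beta)
    tag = mac(*key, 0xCA)
    print("tag of 0xCA:", tag, "verifies:", verify(key, 0xCA, tag))
    print("substitution probability:", substitution_probability(0xCA, tag, 0x3D, 0x1))
    print("uniform tags:", all(c == 2 ** (N_BITS - T_BITS) for c in tag_histogram(*key)))
```

The same substitution count comes out whether or not the forged tag equals the observed one, which is the point of the $2^{-t}$ bound; with $x_2 = x$ and a different tag no key is consistent at all.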
4.4 The Scheme



As for Q-ID, let $c : \mathcal{W} \to \{+,\times\}^n$ be the encoding function of a binary code of length $n$ with $m = |\mathcal{W}|$ codewords and minimal distance $d$, and for parameter $\ell$, let $\mathcal{F}$ and $\mathcal{G}$ be strongly universal-2 classes of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$ and $\mathcal{W}$ to $\{0,1\}^\ell$, respectively. Also, let $\mathrm{MAC}^* : \mathcal{K}\times\mathcal{M} \to \{0,1\}^\ell$ be an EXTR-MAC with an arbitrary key space $\mathcal{K}$, a message space $\mathcal{M}$ that will become clear later, and an error probability $2^{-\ell}$. Furthermore, let $\{\mathrm{syn}_j\}_{j\in\mathcal{J}}$ be the family of syndrome functions$^9$ corresponding to a family $\mathcal{C} = \{C_j\}_{j\in\mathcal{J}}$ of linear error correcting codes of size $n' = n/2$, as discussed in Section 3.5: any $C_j$ allows to efficiently correct a $\delta$-fraction of errors for some constant $\delta > 0$, and for a random $j \in \mathcal{J}$, the syndrome of a string with $t = (\frac{1}{4}-\lambda)d - \log(m) - 3\ell$ bits of min-entropy is $2^{-(t-2q)/4}$-close to uniform (given $j$ and any $q$-qubit state) for some $\lambda > 0$.

Recall, by the set-up assumption, the user U and the server S share a password $w \in \mathcal{W}$ as well as a uniform high-entropy key, which we define to be a random authentication key $k \in \mathcal{K}$. The resulting scheme Q-ID$^+$ is given in the box below.



Q-ID$^+$:

1. U picks $x \in_R \{0,1\}^n$ and $\theta \in_R \{+,\times\}^n$, and sends the $n$-qubit state $|x\rangle_\theta$ to S. Write $I_w := \{i : \theta_i = c(w)_i\}$.

2. S picks a random subset $T \subset \{1,\ldots,n\}$ of size $\ell$, computes $c = c(w)$, replaces every $c_i$ with $i \in T$ by $c_i \in_R \{+,\times\}$ and measures in basis $c$. Let $x'$ be the outcome, and let $test' := x'|_T$.

3. U sends $\theta$, $j \in_R \mathcal{J}$, $s := \mathrm{syn}_j(x|_{I_w})$, and $f \in_R \mathcal{F}$ to S.

4. S picks $g \in_R \mathcal{G}$, and sends $T$ and $g$ to U.

5. U sends $test := x|_T$, $z := f(x|_{I_w}) \oplus g(w)$ and $tag^* := \mathrm{MAC}^*_k(\theta, j, s, f, g, T, test, z, x|_{I_w})$ to S.

6. S recovers $x|_{I_w}$ from $x'|_{I_w}$ with the help of $test$ and $s$, and it accepts if and only if (1) $tag^*$ verifies correctly, (2) $test$ coincides with $test'$ wherever the bases coincide, and (3) $z = f(x|_{I_w}) \oplus g(w)$.



Proposition 4.2 (Security against man-in-the-middle). Assume that the quantum memory of E is of size at most $q$ qubits at step 3 of Q-ID$^+$. Then Q-ID$^+$ is secure against man-in-the-middle attacks by E with error $\varepsilon$, where

$$\varepsilon = \mathrm{negl}\left((\tfrac{1}{4}-\lambda)d - \log(m) - 2q - 3\ell\right) + \mathrm{negl}\left(\sigma(\lambda)d - \log(m)\right) + \mathrm{negl}(\ell)$$

for an arbitrary $0 < \lambda < \frac{1}{4}$.

Proof. We use capital letters ($W$, $\Theta$, etc.) for the values ($w$, $\theta$, etc.) occurring in the scheme whenever we view them as random variables, and we write $X_W$ and $X'_W$ for the random variables taking values $x|_{I_w}$ and $x'|_{I_w}$, respectively. To simplify the argument, we neglect error probabilities that are of order $\varepsilon$, as well as linear fractions that can be chosen arbitrarily small. We merely give indication of a small error by (sometimes) using the word "essentially".

First note that due to the security of the MAC and its key, if the attacker substitutes $\theta, j, s, f, g, T, test$ or $z$, or if S recovers an incorrect string as $x|_{I_w}$, then S will reject at the end of the protocol. We can define $W'$ (independent of $W$) as in the proof of Proposition 3.4 such that if $W \neq W'$

$^9$ We agree on the following convention: for a bit string $y$ of arbitrary length, $\mathrm{syn}_j(y)$ is to be understood as $\mathrm{syn}_j(y0\cdots0)$ with enough padded zeros if its bit length is smaller than $n'$, and as $(\mathrm{syn}_j(y'), y'')$, where $y'$ consists of the first $n'$ and $y''$ of the remaining bits of $y$, if its bit length is bigger than $n'$.
then $X_W$ has essentially $d/4 - \log(m)$ bits of smooth min-entropy, given $W$, $W'$ and $\Theta$. Furthermore, given $TAG^*$, $F(X_W)$, $TEST$ (as well as $K, F, T, W, W'$ and $\Theta$), $X_W$ still has essentially $t = d/4 - \log(m) - 3\ell$ bits of smooth min-entropy, if $W \neq W'$. By the property of the code family $\mathcal{C}$, it follows that if $t > 2q$ with a linear gap then the syndrome $S = \mathrm{syn}_J(X_W)$ is essentially random and independent of $J, TAG^*, F(X_W), TEST, K, F, T, W, W', \Theta$ and $E$, conditioned on $W \neq W'$. Furthermore, it follows from the privacy-amplifying property of $\mathrm{MAC}^*$ and of $f$ that if $d/4 - \log(m) - 2\ell > q$ with a linear gap, then the set of values $(TAG^*, F(X_W))$ is essentially random and independent of $K, F, TEST, T, W, W', \Theta$ and $E$, conditioned on $W \neq W'$. Finally, $K$ is independent of the rest, and $E$ is independent of $K, F, TEST, T, W, \Theta$. It follows that $\rho_{KWW'E|W'\neq W} \approx \rho_K \otimes \rho_{W\leftrightarrow W'\leftrightarrow E|W'\neq W}$, before he learns S's decision to accept or reject.

It remains to argue that S's decision does not give any additional information on $W$. We will make a case distinction, which does not depend on $w$, and we will show for both cases that S's decision to accept or reject is independent of $w$, which proves the claim. But first, we need the following observation. Recall that outside of the test set $T$, S measured in the bases dictated by $w$, but within $T$ in random bases. Let $I'_w$ be the subset of positions $i \in I_w$ with $c_i = c(w)_i$ (and thus also $= \theta_i$), and let $T' = T \cap I'_w$. In other words, we remove the positions where S measured in the "wrong" basis. The size of $T'$ is essentially $\ell/4$, and given its size, it is a random subset of $I'_w$ of size $|T'|$. It follows from the theory of random sampling that $\nu(x|_{I'_w}, x'|_{I'_w})$ essentially equals $\nu(x|_{T'}, x'|_{T'})$ (except with probability negligible in the size of $T'$), where $\nu(\cdot,\cdot)$ denotes the fraction of errors between the two input strings. Furthermore, since the set $V = \{i \in T : \theta_i = c_i\}$ of positions where U and S compare $x$ and $x'$ is a superset of $T'$ of essentially twice the size, $\nu(x|_V, x'|_V)$ is essentially lower bounded by $\frac{1}{2}\nu(x|_{T'}, x'|_{T'})$. Putting things together, we get that $\nu(x|_{I'_w}, x'|_{I'_w})$ is essentially upper bounded by $2\nu(x|_V, x'|_V)$. Also note that $\nu(x|_V, x'|_V)$ does not depend on $w$. We can now do the case distinction:

Case 1: If $\nu(x|_V, x'|_V) < \frac{\delta}{2}$ (minus an arbitrarily small value), then $x|_{I'_w}$ and $x'|_{I'_w}$ differ in at most a $\delta$-fraction of their positions, and thus S correctly recovers $x|_{I_w}$ (using $test = x|_T$ to get $x|_{I_w\setminus I'_w}$ and using $s$ to correct the rest), no matter what $w$ is, and it follows that S's decision only depends on the attacker's behavior, but not on $w$.

Case 2: Otherwise, S is guaranteed to get the correct $test = x|_T$ (or else rejects) and thus rejects as $test$ and $test'$, restricted to $V$, differ in more than a $\frac{\delta}{2}$-fraction of their positions. Hence, S always rejects in case 2. □

For a dishonest user or server who knows $k$ (but not $w$), breaking Q-ID$^+$ is equivalent to breaking Q-ID, up to a change in the parameters. Doing the maths on the parameters similarly to the proof of Theorem 3.6 (namely, choosing $\ell = \frac{1}{4}\left((\frac{1}{4}-\lambda)d + \log(m) - 2q\right)$, whence $\varepsilon = \mathrm{negl}\left(\frac{1}{4}\left((\frac{1}{4}-\lambda)d - 7\log(m) - 2q\right)\right)$), it then follows:

Theorem 4.3. If $H_{\min}(W) \geq 1$, then the identification scheme Q-ID$^+$ is $\varepsilon$-secure against a man-in-the-middle attacker with quantum memory bound $q$, and, even with a leaked $k$, Q-ID$^+$ is $\varepsilon$-secure against impersonation attacks for any unbounded user and for any server with quantum memory bound $q$, where

$$\varepsilon = \mathrm{negl}\left((\tfrac{1}{4}-\lambda)\mu n - 7\log(m) - 2q\right) + \mathrm{negl}\left(\sigma(\lambda)\mu n - \log(m)\right)$$

for $\mu = h^{-1}(1 - \log(m)/n)$ and an arbitrary $0 < \lambda < \frac{1}{4}$. In particular, if $\log(m)$ is sublinear in $n$, $\varepsilon$ is negligible in $n - 16q$.

It is easy to see that Q-ID$^+$ can tolerate a noisy quantum communication up to any error rate $\phi < \delta$. Similar to the discussion in Section 3.5, tolerating a higher error rate requires the bound on the adversary's quantum memory to be smaller but still linear in the number of qubits transmitted. Imperfect sources can also be addressed in a similar way as for Q-ID. It follows that Q-ID$^+$ can also be shown secure in the $(\phi,\eta)$-weak quantum model provided $\phi$ and $\eta$ are small enough constants.

5 Application to QKD 

As already pointed out in Section 4.1, current QKD schemes have the shortcoming that if there is no classical channel available that is authenticated by physical means, and thus messages need to be authenticated by an information-theoretic authentication scheme, an attacker can force the parties to run out of authentication keys simply by making an execution (or several executions if the parties share more key material) fail. Even worse, even if there is no attacker, but some execution(s) of the QKD scheme fail due to a technical problem, parties could still run out of authentication keys because it may not be possible to distinguish between an active attack and a technical failure. This shortcoming could make the technology impractical in situations where denial of service attacks or technical interruptions often occur.

The identification scheme Q-ID$^+$ from the previous section immediately gives a QKD scheme in the bounded-quantum-storage model that allows to re-use the authentication key(s). Actually, we can inherit the key-setting from Q-ID$^+$, where there are two keys, a human-memorizable password and a uniform, high-entropy key, where security is still guaranteed even if the latter gets stolen and the theft is noticed. In order to agree on a secret key $sk$, the two parties execute Q-ID$^+$, and extract $sk$ from $x|_{I_w}$ by applying yet another strongly universal-2 function, for instance chosen by U in step 3 and authenticated together with the other information in step 5. Here, $n$ needs to be increased accordingly to have the additional necessary amount of entropy in $x|_{I_w}$. The analysis of Q-ID$^+$ immediately implies that if honest S accepts, then he is convinced that he shares $sk$ with the legitimate U which knows $w$. In order to convince U, S can then use part of $sk$ to one-time-pad encrypt $w$, and send it to U. The rest of $sk$ is then a secure secret key, shared between U and S. In order to have a better "key rate", instead of using $sk$ (minus the part used for the one-time-pad encryption) as secret key, one can also run a standard QKD scheme on top of Q-ID$^+$ and use $sk$ as a one-time authentication key.
A Proofs

A.1 Proof of Lemma 2.1

Writing $p = P[\mathcal{E}]$ and $\bar{p} = P[\bar{\mathcal{E}}]$ we indeed get

$$\begin{aligned}
\rho_{X\leftrightarrow Y\leftrightarrow E} &= \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_E \\
&= \sum_{x,y} \big(p\cdot P_{XY|\mathcal{E}}(x,y) + \bar{p}\cdot P_{XY|\bar{\mathcal{E}}}(x,y)\big)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \big(p\cdot\rho^y_{E|\mathcal{E}} + \bar{p}\cdot\rho^y_{E|\bar{\mathcal{E}}}\big) \\
&= p^2\sum_{x,y} P_{XY|\mathcal{E}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_{E|\mathcal{E}} + (1-p^2)\cdot\tau \\
&= p^2\cdot\rho_{X\leftrightarrow Y\leftrightarrow E|\mathcal{E}} + (1-p^2)\cdot\tau
\end{aligned}$$

for some density matrix $\tau$. If $\mathcal{E}$ is independent of $X$ and $Y$, so that $P_{XY} = P_{XY|\mathcal{E}} = P_{XY|\bar{\mathcal{E}}}$, then

$$\begin{aligned}
\rho_{X\leftrightarrow Y\leftrightarrow E} &= \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_E \\
&= \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \big(p\cdot\rho^y_{E|\mathcal{E}} + \bar{p}\cdot\rho^y_{E|\bar{\mathcal{E}}}\big) \\
&= p\cdot\sum_{x,y} P_{XY|\mathcal{E}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_{E|\mathcal{E}} + \bar{p}\cdot\sum_{x,y} P_{XY|\bar{\mathcal{E}}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^y_{E|\bar{\mathcal{E}}} \\
&= p\cdot\rho_{X\leftrightarrow Y\leftrightarrow E|\mathcal{E}} + \bar{p}\cdot\rho_{X\leftrightarrow Y\leftrightarrow E|\bar{\mathcal{E}}}.
\end{aligned}$$

□



A. 2 Proof of Lemma 12.21 

For any pair i ^ j let £ij be an event such that P[£ij] > 1 — e and 

^Pz(^) • maxP XjXj . ft .| Z (x i ,x i |z) < 2~ a (2) 

for all Xi £ Xi, xj S ^ and z £ Z. By assumption, such events exist. 10 For any j = 1, . . . , m — 1 
define 

= {(xi, . . . ,x m ,z) : P Xl | Z (a;i|«), . . . , Px^zipj-^z) < 2~ a ' 2 A P Xi \z(xj\z) > 2~ a / 2 } 

Informally, Lj consists of the tuples (xi, ■ ■ ■ , x m , z), where Xj has "large" probability given z whereas 
all previous entries have small probabilities. We define V as follows. We let V be the index j £ 
{1, . . . , m — 1} such that (Xi, . . . , X m , Z) £ Lj, and in case there is no such j we let V be m. Note 
that if there does exist such an j then it is unique. 

We need to show that this $V$ satisfies the claim. Fix $j \in \{1,\ldots,m\}$. Clearly, for $i < j$,

$$
\begin{aligned}
\sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) &\le \sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV|Z}(x_i,j|z) \\
&= \sum_z P_Z(z) \cdot \max_{x_i} P_{X_i|Z}(x_i|z)\,P_{V|X_iZ}(j|x_i,z) \le 2^{-\alpha/2} \,. \qquad (3)
\end{aligned}
$$

Indeed, either $P_{X_i|Z}(x_i|z) \le 2^{-\alpha/2}$ or $P_{V|X_iZ}(j|x_i,z) = 0$ by definition of $V$. Consider now $i > j$.
Note that

$$
\begin{aligned}
\sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) &= \sum_z P_Z(z) \cdot \max_{x_i} \sum_{x_j} P_{X_iX_jV\mathcal{E}_{ij}|Z}(x_i,x_j,j|z) \\
&\le 2^{\alpha/2} \sum_z P_Z(z) \cdot \max_{x_i,x_j} P_{X_iX_j\mathcal{E}_{ij}|Z}(x_i,x_j|z) \le 2^{-\alpha/2} \,, \qquad (4)
\end{aligned}
$$

where the last inequality follows from the assumption (2) and the first is a consequence of the fact
that the number of non-zero summands (in the sum over $x_j$) cannot be larger than $2^{\alpha/2}$, because
for any $x_j$ with $P_{X_iX_jV\mathcal{E}_{ij}|Z}(x_i,x_j,j|z) > 0$ it also holds that $P_{X_j|Z}(x_j|z) > 2^{-\alpha/2}$, and the sum
over all those $x_j$ would exceed $1$ if there were more than $2^{\alpha/2}$ summands. Note that per se, $\mathcal{E}_{ij}$ is
only defined in the probability space given by $X_i$, $X_j$ and $Z$, but it can be naturally extended to
the probability space given by $X_1,\ldots,X_m,Z,V$ by assuming it to be independent of anything else
when given $X_i, X_j, Z$, so that e.g. $P_{X_iV\mathcal{E}_{ij}|Z}$ is indeed well-defined.

$^{10}$ In case $\varepsilon = 0$, i.e., $\alpha$ lower bounds the ordinary (rather than the smooth) min-entropy, the $\mathcal{E}_{ij}$ are the events "that
always occur" and can be ignored in the rest of the analysis.

Consider now an independent random variable $W$ with $H_{\min}(W) \ge 1$. By the assumptions on $W$ it
holds that $P[V \neq W] \ge \frac12$ and $P_{X_WVWZ}(x_i,j,i,z) = P_{X_iVWZ}(x_i,j,i,z) = P_{X_iVZ}(x_i,j,z)\,P_W(i)$.
In the probability space determined by the random variables $X_1,\ldots,X_m,V,W,Z$ and all of the
events $\mathcal{E}_{ij}$, define the event $\mathcal{E}$ as $\mathcal{E} := \mathcal{E}_{WV}$, so that $P_{X_WVW\mathcal{E}|Z}(x_i,j,i|z) = P_{X_iVW\mathcal{E}_{ij}|Z}(x_i,j,i|z) =
P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z)\,P_W(i)$. Note that

$$
P[\bar{\mathcal{E}}] = \sum_{i,j} P_{VW\bar{\mathcal{E}}_{ij}}(j,i) = \sum_{i,j} P_{V\bar{\mathcal{E}}_{ij}}(j)\,P_W(i) \le \sum_{i,j} P[\bar{\mathcal{E}}_{ij}]\,P_W(i) \le m\varepsilon
$$

and thus $P[\bar{\mathcal{E}}\,|\,V \neq W] \le P[\bar{\mathcal{E}}]/P[V \neq W] \le 2m\varepsilon$. From the above, it follows that

$$
\begin{aligned}
P_{\mathrm{guess}}(X_W,\mathcal{E}\,|\,VWZ, V \neq W) &= \sum_{z,\,i \neq j} \max_x P_{X_WVWZ\mathcal{E}|V \neq W}(x,j,i,z) \le 2 \sum_{z,\,i \neq j} \max_x P_{X_WVWZ\mathcal{E}}(x,j,i,z) \\
&= 2 \sum_{z,\,i \neq j} P_Z(z) \cdot \max_x P_{X_WVW\mathcal{E}|Z}(x,j,i|z) = 2 \sum_{z,\,i \neq j} P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \cdot P_W(i) \\
&= 2 \sum_i P_W(i) \sum_{j \neq i} \sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \le 2m \cdot 2^{-\alpha/2} \,,
\end{aligned}
$$

where we used (3) and (4) in the last inequality. The claim now follows by definition of $H_{\min}$. □
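As an added illustration of the construction in this proof (this is not the paper's code), the following Python code builds the splitting index $V$ from a small constructed distribution and evaluates the guessing probabilities exactly with rational arithmetic, for the case $\varepsilon = 0$ in which the events $\mathcal{E}_{ij}$ drop out (footnote 10). The toy distribution over $X_1, X_2, X_3, Z$ and the uniform choice of the independent $W$ are my assumptions; the code also computes the guessing probability of $X_W$ given only $W$ and $Z$, which the proof does not, to show what knowing $V$ buys.

```python
from fractions import Fraction
from itertools import product
from math import log2

# Added example, not from the paper. A distribution is a dict whose keys are tuples
# (x_1, ..., x_m, z) and whose values are exact probabilities; epsilon = 0 throughout,
# so the events E_ij are the events that always occur and drop out of the formulas.

def toy_distribution():
    """Constructed toy: m = 3, binary Z. Given Z = 0, X_1 = 0 and X_2, X_3 are uniform on
    {0..3}; given Z = 1, X_2 = 0 and X_1, X_3 are uniform on {0..3}."""
    dist = {}
    for z in (0, 1):
        for x1, x2, x3 in product(range(4), repeat=3):
            if (x1 == 0) if z == 0 else (x2 == 0):
                dist[(x1, x2, x3, z)] = Fraction(1, 2) * Fraction(1, 16)
    return dist

def num_vars(dist):
    return len(next(iter(dist))) - 1

def marginal(dist, coords):
    """Marginal over the listed coordinate indices (index m is Z)."""
    out = {}
    for key, p in dist.items():
        k = tuple(key[c] for c in coords)
        out[k] = out.get(k, 0) + p
    return out

def guess_prob(dist, coords):
    """sum_z P_Z(z) * max_x P_{X_S|Z}(x|z) = sum_z max_x P_{X_S Z}(x, z), S = coords."""
    best = {}
    for k, p in marginal(dist, list(coords) + [num_vars(dist)]).items():
        best[k[-1]] = max(best.get(k[-1], 0), p)
    return sum(best.values())

def alpha(dist):
    """Largest alpha with H_min(X_i X_j | Z) >= alpha for every pair i != j, i.e. (2)."""
    m = num_vars(dist)
    return -log2(max(guess_prob(dist, [i, j]) for i in range(m) for j in range(m) if i != j))

def split_index(dist, a):
    """The V of the proof: V = j for the first j in 1..m-1 with P_{X_j|Z}(x_j|z) > 2^{-alpha/2}
    (all earlier entries being at most 2^{-alpha/2}), and V = m if there is no such j."""
    m = num_vars(dist)
    thr = 2.0 ** (-a / 2)
    pz = marginal(dist, [m])
    singles = [marginal(dist, [j, m]) for j in range(m)]
    v_of = {}
    for key in dist:
        z = key[-1]
        v_of[key] = m
        for j in range(m - 1):
            if singles[j][(key[j], z)] / pz[(z,)] > thr:
                v_of[key] = j + 1
                break
    return v_of

def guess_prob_no_split(dist, pw):
    """P_guess(X_W | W Z) for independent W ~ pw (w in 1..m), i.e. without the help of V."""
    return sum(pwi * guess_prob(dist, [i - 1]) for i, pwi in pw.items())

def guess_prob_split(dist, v_of, pw):
    """P_guess(X_W | V W Z, V != W) = sum_{z, i != j} max_x P_{X_W V W Z | V != W}(x, j, i, z)."""
    joint = {}
    for key, p in dist.items():
        z, j = key[-1], v_of[key]
        for i, pwi in pw.items():
            if i != j:
                k = (key[i - 1], j, i, z)
                joint[k] = joint.get(k, 0) + p * pwi
    p_neq = sum(joint.values())  # = P[V != W]
    best = {}
    for (x, j, i, z), p in joint.items():
        best[(j, i, z)] = max(best.get((j, i, z), 0), p)
    return sum(best.values()) / p_neq

def check_lemma(dist, pw):
    """Both sides of the claim P_guess(X_W | V W Z, V != W) <= 2m * 2^{-alpha/2}."""
    a = alpha(dist)
    p = guess_prob_split(dist, split_index(dist, a), pw)
    bound = 2 * num_vars(dist) * 2.0 ** (-a / 2)
    return {"alpha": a, "p_guess": p, "bound": bound, "holds": p <= bound}

if __name__ == "__main__":
    d = toy_distribution()
    pw = {1: Fraction(1, 3), 2: Fraction(1, 3), 3: Fraction(1, 3)}  # H_min(W) = log 3 >= 1
    print("alpha =", alpha(d))
    print("P_guess(X_W | W Z) =", guess_prob_no_split(d, pw))
    print("P_guess(X_W | V W Z, V != W) =", guess_prob_split(d, split_index(d, alpha(d)), pw))
    print(check_lemma(d, pw))
```

On the toy distribution $\alpha = 2$, so the threshold is $2^{-\alpha/2} = 1/2$: $V = 1$ whenever $Z = 0$ (there $X_1$ is fixed) and $V = 2$ whenever $Z = 1$. Guessing $X_W$ from $W$ and $Z$ alone succeeds with probability $1/2$, because with probability $1/3$ the index $W$ hits the variable that $Z$ determines; conditioned on $V \neq W$, $V$ has excluded exactly that index and the guessing probability drops to $1/4$. With alphabets this small the lemma's bound $2m \cdot 2^{-\alpha/2} = 3$ is of course vacuous; the value of the example is the mechanics of $V$ and the exact evaluation of the guessing probability, and the bound only becomes informative once $\alpha$ is large compared with $\log m$.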